Stephen,

On Tue, May 15, 2012 at 12:00 PM, Stephen Breen <breen.mach...@gmail.com> wrote:
> Actually that isn't a syntax error, just bad form :), it's been working for
> me for a few days. The +''+ in the line containing
> original_value+''+mutant_str is actually two single quotations, not a double
> quotation.

Ahhh! That's why it's not a syntax error, I reviewed the code over gmail
and in this UI it didn't look like two single quotes ;)

> It is just concatenating an empty string in between. I've removed
> that useless piece and here is the updated (and retested) diff:
>
> Index: core/data/fuzzer/fuzzer.py > =================================================================== > --- core/data/fuzzer/fuzzer.py (revision 5002) > > +++ core/data/fuzzer/fuzzer.py (working copy) 
> @@ -498,7 +498,10 @@ > m.setVar( pname, index=element_index ) > m.setDc( dc_copy ) > m.setOriginalValue( original_value ) > - m.setModValue( mutant_str ) > + if(append): > + m.setModValue(original_value+mutant_str) > > + else: > + m.setModValue( mutant_str ) > > # Done, add it to the result > result.append( m ) >

I was applying your patch and found this some lines above your modified area:

    if append:
        dc_copy[pname][element_index] += mutant_str
    else:
        dc_copy[pname][element_index] = mutant_str

Which indicates that "we're handling the append case", the issue is...
that those lines are not working as expected. The problem was that the
setModValue "invalidated" the previous code. So, what I did was:

- Merge your "if append" with the old one
- Modified the test cases for the fuzzer in order to have a specific
  test for append=True

All this can be seen in http://sourceforge.net/apps/trac/w3af/changeset/5012

Let me know if this is ok :)

Regards,

>
> On Tue, May 15, 2012 at 11:44 AM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> Stephen,
>>
>> On Wed, May 9, 2012 at 2:58 PM, Stephen Breen <breen.mach...@gmail.com>
>> wrote:
>> > I've been working on an HTTP Parameter Pollution plugin a little bit
>> > lately and noticed that the append functionality of createMutants in
>> > core/data/fuzzer/fuzzer.py doesn't seem to work, unless I'm
>> > misunderstanding its use. I've fixed it for my current purposes
>> > (simple query string mutants) by changing line 501 in fuzzer.py which
>> > is part of the _createMutantsWorker method as follows:
>>
>> I think your finding is correct, it seems to be a bug.
>>
>> > Index: core/data/fuzzer/fuzzer.py >> > =================================================================== >> > --- core/data/fuzzer/fuzzer.py (revision 5000) >> > +++ core/data/fuzzer/fuzzer.py (working copy) 
>> > @@ -498,7 +498,10 @@ >> > m.setVar( pname, index=element_index ) >> > m.setDc( dc_copy ) >> > m.setOriginalValue( original_value ) >> > - m.setModValue( mutant_str ) >> > + if(append): >> > + m.setModValue( original_value+''+mutant_str ) >> > + else: >> > + m.setModValue( mutant_str ) >> > >> > # Done, add it to the result >> > result.append( m )
>>
>> The patch seems to have a syntax error here:
>> original_value+''+mutant_str (note the " in the middle of the two
>> +).
>>
>> It looks like we need more unit-testing for the fuzzer in order to
>> avoid things like this! Any takers for that task?
>>
>> Once the patch is fixed and tested, please send again and I'll commit it.
>>
>> > I'm not sure if any other methods in fuzzer.py should also be fixed
>> > since I've never used them before. Looking at the code it's a little
>> > unclear; _createFileNameMutants and _createUrlPartsMutants do
>> > something with the append flag but I haven't tested it to be sure.
>> >
>> > ------------------------------------------------------------------------------
>> > Live Security Virtual Conference
>> > Exclusive live event will cover all the ways today's security and
>> > threat landscape has changed and how IT managers can respond.
>> > Discussions will include endpoint security, mobile security and the
>> > latest in malware threats.
>> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3af-develop@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
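
Review bot: The append decision ends up being made in two places: the if(append) branch this hunk (revision 5002 diff) puts around m.setModValue, and the existing "if append:" block a few lines above that writes dc_copy[pname][element_index]. With two copies, the data container and the mod value can disagree again the next time one of them is edited. Suggest computing the final string once, next to the dc_copy assignment, and passing that same value to m.setModValue, which is the merge described for changeset 5012. Two smaller points on the added lines: m.setModValue(original_value+mutant_str) drops the inner spacing used by the neighbouring calls such as m.setModValue( mutant_str ), and if(append): carries parentheses that the existing "if append:" does not. The diff touches only core/data/fuzzer/fuzzer.py, so it should come with a test that calls the mutant creation with append=True and checks both the mod value and the data container entry.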